When Patches Aren't Applied: Page 2

FEATURE: Security experts estimate that barely 50 percent of all
software security patches are applied by enterprise IT administrators. With
all the threats circulating, why the indifference?'Important' Patch Issued But Not for NT

"It is quite possible, companies have chosen, for better or worse, to use
their money on marketing as
opposed to patching systems. It is, in many cases, a straightforward
decision," Lindner said, warning that
it's dangerous to downplay the serious risk that can be caused by an exposed
system.

David Litchfield, co-founder of Next
Generation Security Software (NGSS), estimated that less than 5 percent
of vulnerable systems are patched in a timely manner. "Within a few weeks of
the advisory going out, about 20 percent are fixed but I'd say about 50
percent of enterprises don't even bother to apply the patches," he said in
an interview from his U.K. office.

"A large part of the problem is that the administrator is not even aware
of the patch. It is surprising that in some enterprises, there are no
vulnerability assessment (VA) tools being used," he argued.

At other times, Litchfield said IT admins are simply "fed up" with the
large amount of patches being issued and are content to wait for service
packs that provides a bulk fix. That's why the Code Red and
Slammer attacks were so successful. There were literally millions of
unpatched systems around the world," he added.

Litchfield called on governments around the world to take the lead in
educating companies and consumers
about the serious risks involved with bad software. "It would be a good
start a massive user awareness campaign but the problem is coaching people
to read those documents. It's like taking the horse to the
water but you can't make them drink."

Secunia's Kristensen agreed that user awareness was a huge problem, even
with the increased publicity from the mainstream media. "One of the big
reasons why people aren't installing patches is the lack of
knowledge about them actually existing," he declared.

During internal research, Kristensen said admins are more eager to patch
a hole in a Web server or a
mail server but, even then, only about 50 percent of the holes in
susceptible servers are plugged.

"Even with all the media attention, I don't think there's much more than
two-thirds of services out
there that's been updated," he added.

Crying Wolf?

Then, there is the cry-wolf syndrome, born out of too many 'critical'
warnings being issued, particularly by Microsoft. The Redmond, Wash.-firm
acknowledged
there were legitimate fears that too many high-level alerts were being
issued.

Steve Lipner, director of security assurance for Microsoft, recently
announced the Severity Rating
Criteria would be modified to specify clearly which bugs needed to be
addressed immediately.

"There is also a widespread feeling that the Severity Ratings are
difficult to understand and apply. For these reasons, we have modified (the
criteria) to help customers more easily evaluate the impact of security
issues," Lipner explained.

Of Microsoft's 72 warnings in 2002, more than half were tagged with the
'critical' rating. Of the ten
issued this year, five have been described as critical. The 'critical'
rating is reserved only for "a
vulnerability whose exploitation could allow the propagation of an Internet
worm without user action,"
Microsoft explained.

The new ratings criteria carry an 'important' tag for flaws that could
result in compromise of the
confidentiality, integrity, or availability of users' data, or of the
integrity or availability of processing resources. Below that, the company
issues 'moderate' or 'low' warnings.

For CERT/CC's Lindner, the issue goes beyond software vulnerabilities and
points to faults with the engineering process. "The root cause of
problematic patches and problematic software is bad software engineering
practices. That's where we have to fix things," Lindner declared.

"When we find flaws in software and we have to build a patch, we're using
the same bad software engineering practices to build the patch to fix the
software that's poorly engineered. It's a vicious circle," he added.

Even as the experts continue to decry the slow pace of patch
applications, Lindner suggested a two-fold approach to fixing things.
First, he called for widespread adoption of better software enginnering
practices and, more importantly, widespread adoption of developing foolproof
architecting protocols.

He said too many built-in flaws were being discovered in some of the most
crucial protocols. "Even if you wrote error-free software, there would still
be vulnerabilities because the protocols themselves have problems. That's
what he have to concentrate on fixing," said Lindner.